The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/80353
Source: www.slideshare.net/stephendale/information-management-life-cycle-presentation

Create/Capture: How you receive or create data, whether captured from a website, a file transfer or a physical acquisition, will affect handling. Each point of entry requires different forms of protection. Commonly accepted, secure methods for creation and capture for each type of procurement are as follows:

• Website Capture: Secure Socket Layer (SSL)
• File Transfer: Secure File Transfer Program (SFTP), Virtual Private Network (VPN), file encryption
• Physical: Secure media room to image and ingest the data, background checks of personnel

Index and Classify: Now that the data have been securely acquired, you must be sure to apply the appropriate rules. The first step is to identify the type of data acquired. Is it personally identifiable information (PII), an image or a document? What kind of document? Carefully sifting and sorting the data into the correct "bucket types" will greatly aid compliance with international data privacy regulations.

Store/Manage: Based on classification, how do you provide adequate protection? Where will the data be stored? This information will drive what protection controls are applied. If the data are PII or potential PII, then there could be a legal requirement to store the data in a disk-based encryption format and encrypt backup copies of the data.

Retrieve/Publish: Once you have securely transferred data across the border, you must then make it available for use. Here's how:

• Control access to systems that the critical data may potentially traverse, such as network paths that enable cross-border data transfers

Process: Ensure the data are only used for authorized purposes and in compliance with applicable laws. Application controls and metadata tagging generated during the index and classify stage are helpful during this phase.
Archive: When the data are no longer needed for production purposes, issues of long-term storage in compliance with your data retention policy and applicable legal requirements arise. Is the backup onsite or offsite? Do your backups cross international borders? Are the backups governed by other countries' privacy and data protection laws? The answers to these questions will help ensure that all potential risk areas are mitigated.

Destroy: At every stage, ensure protected data are rendered unusable, in accordance with applicable legislation. Ensure destruction of archives, files, physical copies and any other copies created during the lifecycle of the data. (Exceptions: There could always be an exception to the rule, so make sure you have processes in place for data excluded from regularly scheduled destruction cycles. Data subject to legal holds and discovery requests, as well as data governed by cross-border privacy legislation, are commonly excepted from data destruction for the duration of the matter at hand.)

• Encrypt at each step of the process (when transferring, in storage and while displaying)
• Leverage encryption-key management to prevent decryption of protected data in countries to which that data must not be transferred
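
The Destroy stage's scheduled destruction cycle and its exceptions can be sketched as follows. This is an added example, not taken from the article; the retention periods, copy-location names, sample records and the `Record` and `destruction_sweep` names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed retention periods per classification label; real values come from
# the firm's retention policy and applicable law.
RETENTION = {"PII": timedelta(days=3 * 365), "document": timedelta(days=7 * 365)}
# Copy locations this job can wipe itself; anything else needs a manual step.
AUTOMATED = {"production", "onsite-backup", "offsite-backup"}

@dataclass
class Record:
    record_id: str
    classification: str            # label from the index-and-classify stage
    archived_on: date
    copies: list                   # every location holding a copy
    hold: Optional[str] = None     # e.g. "legal hold", "discovery request"

def destruction_sweep(records, today):
    """Sort records into destroyed / incomplete / excepted / review."""
    report = {"destroyed": [], "incomplete": [], "excepted": [], "review": []}
    for rec in records:
        if rec.hold:                                   # exception beats schedule
            report["excepted"].append((rec.record_id, rec.hold))
            continue
        period = RETENTION.get(rec.classification)
        if period is None:                             # unclassified: fail closed
            report["review"].append(rec.record_id)
            continue
        if today - rec.archived_on < period:           # still within retention
            continue
        manual = [c for c in rec.copies if c not in AUTOMATED]
        rec.copies = manual                            # a real job wipes the rest here
        if manual:                                     # e.g. paper, imaged media
            report["incomplete"].append((rec.record_id, manual))
        else:
            report["destroyed"].append(rec.record_id)
    return report

# Constructed sample data, not taken from the article.
SAMPLE = [
    Record("r1", "PII", date(2008, 1, 10), ["production", "offsite-backup"]),
    Record("r2", "PII", date(2008, 1, 10), ["production"], hold="legal hold"),
    Record("r3", "document", date(2004, 5, 1), ["production", "paper"]),
    Record("r4", "image", date(2001, 3, 3), ["production"]),
    Record("r5", "PII", date(2011, 6, 1), ["onsite-backup"]),
]

if __name__ == "__main__":
    for bucket, items in destruction_sweep(SAMPLE, date(2012, 6, 1)).items():
        print(bucket, items)
```

A record counts as destroyed only when no copy remains, and held records stay in the exception report so they are picked up again once the matter closes.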